After staying silent for a week, OnePlus announced today that it will fix a high-severity security flaw in its flagship phones with an update set to roll out this week. The issue lies in OxygenOS's customized telephony components, the system code that stores SMS and MMS messages on the device; on an affected build, that stored message data can be read by other installed apps without the permission Android normally requires.
On an unpatched device, any other installed app, including a malicious one, can read the text messages stored there: the SMS and MMS content providers (the Android components that hold message data) hand over message bodies without the READ_SMS permission and without any user consent, which is not what users expect from a platform that gates SMS behind a runtime permission. The vulnerability, tracked as CVE-2025-10184 and reported by security company Rapid7, is a direct threat to privacy and to any SMS-based two-factor authentication.

Rapid7 says its private attempts to notify OnePlus of the vulnerability went unanswered for an extended period, which led it to disclose publicly. Only then did OnePlus confirm that a fix is coming in an upcoming software update.
What the OxygenOS flaw allows malicious apps to do
Per Rapid7's investigation, on an affected OnePlus device any installed app, however benign it looks, can read SMS/MMS message contents and the associated metadata without holding the SMS permission. In short, the only prerequisite is that the user installs the app.
In practical terms, this bypasses the Android permission model and opens a silent channel for harvesting text messages.
That access can be used to intercept one-time verification codes sent over SMS. Because the reads happen silently, with no prompt, alert or notification, victims get no indication that their messages are being scraped.
Which OnePlus devices are vulnerable to the flaw
Rapid7 says the flaw affects OxygenOS and was likely present in earlier releases too. The company tested and confirmed it on a OnePlus 8T running OxygenOS 12 and on a OnePlus 10 Pro running OxygenOS 14 and 15. It was absent from the OxygenOS 11 builds the researchers tested, which points to a regression introduced with OxygenOS 12.
OnePlus hasn't published a list of affected models, but the exposure applies to any device running a susceptible OxygenOS build. Install the security update as soon as it is offered to your handset.
Why this vulnerability endangers SMS-based 2FA codes
Many consumer services still send login verification codes by SMS. NIST's digital identity guidance (SP 800-63B) has for years classed SMS one-time passwords as a restricted authenticator, because SIM swapping, message interception and device malware can all capture them. CVE-2025-10184 adds to that list by subverting the Android permission checks that are supposed to keep SMS content private.

Industry bodies such as the FIDO Alliance promote phishing-resistant methods such as passkeys and hardware security keys, and platforms increasingly recommend an authenticator app over SMS. This incident shows why those migrations matter.
How OnePlus is responding and when to expect a patch
After the public disclosure, OnePlus said it will fix the flaw in an upcoming OxygenOS update. The company commits to several years of security updates for its devices, and the patch will most likely ship as a regular over-the-air update.
Rapid7's write-up blames the breakdown of the coordinated vulnerability disclosure process, in which researchers and vendors communicate directly before details go public. OnePlus's eventual confirmation is welcome; restoring a prompt security response process will matter for keeping users' confidence.
What OnePlus users can do now to reduce their risk
While waiting for the patch, OnePlus owners can reduce their exposure by moving from SMS codes to authenticator apps, passkeys or hardware keys wherever a service supports them. Review installed apps and remove any you don't use, avoid sideloading APKs from unofficial sources, and keep Google Play Protect enabled as a baseline malware check.
Consider hiding message contents on the lock screen so codes aren't visible to anyone nearby, and use a strong screen lock. None of this fixes the underlying flaw, since an installed app can still read stored messages regardless, but it shrinks the attack surface and limits opportunistic abuse.
The broader landscape for Android OEM security
Android's permission system is designed to guard sensitive data such as SMS, and Google has tightened access to messaging APIs over the years. OEM customizations, however, can add privileged paths that quietly bypass those protections. CVE-2025-10184 is a reminder that security has to be verified end to end, including vendor skins and system apps.
For OnePlus, what matters as much as the patch is how quickly it ships and a clear statement of which devices and builds are affected. For users, the long-term answer is to stop relying on SMS for authentication and to apply security updates as soon as they arrive.
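To make the permission-model point concrete, and the earlier description of apps reading SMS without the SMS permission, here is an added example of the kind of static check a practitioner would run against a vendor system app. It is not code from Rapid7, OnePlus or this article. It parses a decoded AndroidManifest.xml (as produced by apktool or aapt2) and flags content providers that any other app can read: those exported without a read permission, or guarded only by a custom permission whose protectionLevel is "normal", which any app can hold. The sample manifest, package name, permission name and provider names are constructed for illustration and are not OnePlus's; the exported-default and protectionLevel rules it applies are Android's documented ones.

```python
"""Static check: flag Android content providers readable by any app.

Added example, not OnePlus's or Rapid7's code. The manifest below is
constructed for illustration; it is not a OnePlus manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(elem, name):
    """Read an android: attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def _is_exported(provider, target_sdk):
    explicit = _a(provider, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    # Implicit default: providers are exported unless targetSdkVersion >= 17.
    # (API 31+ requires an explicit value only for components with intent
    # filters, which providers normally lack, so the old default still applies.)
    return target_sdk < 17


def find_open_providers(manifest_xml):
    """Return a list of (authority, reason) for providers any app can read."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target_sdk = 1
    if sdk is not None:
        target_sdk = int(_a(sdk, "targetSdkVersion") or _a(sdk, "minSdkVersion") or 1)

    # Custom permissions declared in this manifest and their protectionLevel.
    # A missing protectionLevel defaults to "normal", which any app may request.
    levels = {}
    for perm in root.iter("permission"):
        levels[_a(perm, "name")] = (_a(perm, "protectionLevel") or "normal").lower()

    findings = []
    app = root.find("application")
    if app is None:
        return findings
    for provider in app.iter("provider"):
        authority = _a(provider, "authorities") or _a(provider, "name")
        if not _is_exported(provider, target_sdk):
            continue
        # readPermission wins for reads; android:permission is the fallback.
        read_perm = _a(provider, "readPermission") or _a(provider, "permission")
        if read_perm is None:
            # <path-permission> children may still protect sub-paths, but the
            # default paths are open, so report the provider.
            findings.append((authority, "exported without readPermission/permission"))
        elif levels.get(read_perm, "").startswith("normal"):
            # Platform permissions such as android.permission.READ_SMS are not
            # declared here, so they are treated as properly protected.
            findings.append((authority, f"guarded only by normal-level permission {read_perm}"))
    return findings


# Constructed sample manifest: one hardened provider, two weak ones, one
# internal one. Names are hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vendor.telephony">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="33" />
    <permission android:name="com.example.permission.READ_NOTES"
        android:protectionLevel="normal" />
    <application>
        <!-- Hardened: reads require the platform READ_SMS permission -->
        <provider android:name=".SmsProvider" android:authorities="sms"
            android:exported="true"
            android:readPermission="android.permission.READ_SMS"
            android:writePermission="android.permission.WRITE_SMS" />
        <!-- Weak: exported with no permission at all -->
        <provider android:name=".LegacySyncProvider" android:authorities="sync"
            android:exported="true" />
        <!-- Weak: guarded by a custom permission any app can request -->
        <provider android:name=".VendorNotesProvider" android:authorities="notes"
            android:exported="true"
            android:permission="com.example.permission.READ_NOTES" />
        <!-- Safe: not exported, unreachable from other apps -->
        <provider android:name=".InternalProvider" android:authorities="internal"
            android:exported="false" />
    </application>
</manifest>
"""

if __name__ == "__main__":
    for authority, reason in find_open_providers(SAMPLE_MANIFEST):
        print(f"content://{authority}: {reason}")
```

Run it against the manifest of each system app in a vendor image (pulled with adb and decoded with apktool) and review every hit by hand; a hit on the telephony package is exactly the class of oversight this article describes. The check is static only: a provider can also leak data through a permissive query(), update() or call() implementation even when the manifest looks correct, so manifest review is a starting point, not a verdict.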
